
My mysql_real_escape_string is being ignored. It's killing me, because I feel like it's something tiny that I'm missing.

The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML i.e. with tags etc.

<?php 
    /*--------GLOBAL PROCEDURES--------*/
    session_start();
    require "../scr/config-data.php.inc";   // defines $host, $username, $password, $db
    mysql_connect($host, $username, $password) or die("Could Not Connect: " . mysql_error());
    mysql_select_db($db) or die("Could Not Connect: " . mysql_error());

    /*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/

    /*--------SPECIFIC PROCEDURES-------*/      
    if (isset($_POST['submit'])) {
        // Escape the editor text for use inside an SQL string literal.
        // This only touches quotes, backslashes and NUL/newline bytes; HTML tags are left as-is.
        $htmlText = mysql_real_escape_string($_POST['cust']);
        if ($htmlText != "") {
            // Table name as posted: "table" (like "order") is a reserved word and would need backticks.
            mysql_query("INSERT INTO table VALUES(NULL, '$htmlText')") or die(mysql_error());
        } else {
            $feedback = "Please Enter some text into the editor";
        }
    }

    /*--------CLOSING PROCEDURES-------*/
    mysql_close();

?>

The strange thing is, it's been adapted from a script that works, only changing the variable names. I'm getting an error in MySQL syntax. It's also not escaping the HTML in the text, so I'm getting this error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '<p>sfgafgafs</p>')' at line 1

  • What error message do you get for what example input? Commented Jan 21, 2011 at 14:26
  • the above error message is given, but the particular field should be <p>sfgafgafs</p> when escaped, but it's rendering it as HTML Commented Jan 21, 2011 at 14:27
  • Is your table named "order"? Try changing that to `order` (backticks) Commented Jan 21, 2011 at 14:29

4 Answers


From the error message given by you it looks like you are using order as the table name which happens to be a MySQL reserved word.

Try enclosing it in back ticks.


1 Comment

Thanks! I did this about a week ago with the word add... Didn't learn from my own mistakes by the looks of things, cheers!
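As an added example (not the asker's code or any answer's), the fix the accepted answer describes, in the shape a current codebase would use: the table name `order` is backtick-quoted through an allow-list, and the editor text is bound as a prepared-statement parameter instead of being escaped into the query string. It assumes PHP 7+ with PDO (the mysql_* API in the question was removed in PHP 7), a table `order` with an auto-increment `id` and a text column `cust`, and connection settings in $dsn, $user and $pass; all of those names are assumptions.

```php
<?php
// Added example, not from the question or the answers. Assumes a MySQL table
// `order` (id INT AUTO_INCREMENT, cust TEXT) and PDO credentials in
// $dsn / $user / $pass; mysql_* as used in the question no longer exists in PHP 7+.

// Identifiers (table/column names) cannot be bound as prepared-statement
// parameters, so allow-list them and backtick-quote the result. The backticks
// are what make a reserved word such as `order` usable as a name:
// 'INSERT INTO order ...' does not parse, 'INSERT INTO `order` ...' does.
function quote_identifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Unknown identifier: $name");
    }
    // A backtick inside an identifier is escaped by doubling it.
    return '`' . str_replace('`', '``', $name) . '`';
}

function insert_editor_text(PDO $db, string $table, string $htmlText): int
{
    $sql = 'INSERT INTO ' . quote_identifier($table, ['order', 'customer_note'])
         . ' (`cust`) VALUES (:cust)';
    // The value travels as a bound parameter: quotes, backslashes or HTML
    // inside the editor text cannot break or alter the statement.
    $stmt = $db->prepare($sql);
    $stmt->execute([':cust' => $htmlText]);
    return (int) $db->lastInsertId();
}

// Usage (assumed DSN and credentials):
$db = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$newId = insert_editor_text($db, 'order', $_POST['cust'] ?? '');
```

Binding the value does not make the identifier safe on its own; the allow-list is what stops a user-controlled table or column name from reaching the query, and the backticks are what let a reserved word through the parser.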

mysql_real_escape_string will not escape any HTML. It only escapes \x00, \n, \r, \, ', " and \x1a.

Your table's name should not be "order", because it is an SQL special word. You should rename it or make sure that you put it in backticks.

2 Comments

no, it's order but I changed it to table just for the example, to take it out of the context. But luckily, when I pasted my error message I'd left the word Order in, it's a reserved word :( thanks anyway!
table is also a reserved word BTW
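To make the point in this answer concrete, an added example (not from the page) that contrasts SQL-literal escaping with HTML escaping on the same editor input. The sql_literal_escape function is an illustrative re-implementation of the character set the answer lists, not the real mysql_real_escape_string (which also depends on the connection's character set, which is why it takes a link identifier); the sample input is constructed.

```php
<?php
// Added example, not from the page. Shows why mysql_real_escape_string()
// leaves HTML intact: it only neutralises characters that matter inside an
// SQL string literal. HTML needs a separate escaping step, applied at output.

// Illustrative re-implementation of the documented escape set
// (\x00, \n, \r, \, ', " and \x1a). The real function is charset-aware and
// tied to a connection; in real code use mysqli_real_escape_string() or,
// better, bound parameters.
function sql_literal_escape(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// HTML-context escaping: what you want when the stored text must be shown
// literally (the question's "<p>sfgafgafs</p>" displayed as text, not rendered).
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed TinyMCE-style input containing both quotes and markup.
$fromEditor = "<p>O'Reilly said: \"hi\"</p>";

// Quotes get a backslash, the <p> tags are untouched: safe inside '...' in SQL,
// still live HTML when echoed to a page.
echo sql_literal_escape($fromEditor), "\n";

// Angle brackets and quotes become entities: the browser shows the tags as text.
echo html_escape($fromEditor), "\n";
```

The two functions answer different questions. The first asks "can this string sit between single quotes in a query without ending the literal"; the second asks "can this string sit in a page without being interpreted as markup". If the editor output is meant to be rendered as HTML later, neither is the right tool for storage: store it unescaped via a bound parameter and run it through an HTML sanitiser that allows only the tags you expect before it is displayed.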

I too believe the reason is the table name being 'order', as MySQL takes it as though you are trying to use the ORDER clause in an INSERT query; change the table name to something else.

1 Comment

The accepted answer said that over 2 months ago. I backticked the table name and it worked. Thanks for the effort, but you're a little late for this one.

Looks like you're missing the link identifier?

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

2 Comments

You do know that the link identifier is optional right? "If link_identifier isn't defined, the last MySQL connection is used."
I thought it was required; next time I'll just post comments so I don't lose any points!
